
WabiSabiLabi wants to be the eBay of 0-day exploits

A Swiss firm with the unusual name of WabiSabiLabi has launched an online …

Hard-working security researchers around the world aren't getting the cash they deserve for their work, argues new security marketplace WabiSabiLabi, so the Switzerland-based company has a solution: auction off vulnerabilities to the highest bidder.

The service was only launched last week, so it's not surprising that it has attracted only four vulnerabilities so far. Yahoo Messenger, Squirrelmail, and Linux all have security problems for sale, and at least two bidders are ready to plunk down the euros for them. It's hardly an iPhone-style launch, no doubt because many security researchers have reservations about auctioning off their work to the highest bidder or selling it to all comers.

Clearly aware that this is bound to be a controversial business model, WabiSabiLabi makes a counter-argument: their work is ethical because it more fairly compensates security researchers for their time and effort. According to the company, many independent researchers report bugs without ever getting paid for the hours they put in; opening their work up to the marketplace should ensure that the researchers get paid what their work is worth.

The company claims that it will vet all buyers and sellers, as well as verify the information being auctioned. Auction winners will receive the necessary exploit information along with a proof of concept demonstration, and are not allowed to buy and sell anonymously (to WabiSabiLabi, at least; the public won't know who buys and sells).

Auctioning off zero-day exploits is controversial in the security world, but WabiSabiLabi defends its practices by redefining terms. The first question in the company's FAQ list concerns zero-day exploits; the answer is simply, "first let's use the proper terminology, there is no zero day vulnerability, instead there is Security Research, which is the job of a skilled security researcher."

The name, which is as quirky as the business model, represents "a comprehensive Japanese world view or aesthetic centred on the acceptance of transience," according to the company. "The phrase comes from the two words wabi and sabi. The aesthetic is sometimes described as one of beauty that is 'imperfect, impermanent, and incomplete.' It is a concept derived from the Buddhist assertion of the Three marks of existence." Clear? Clear.

WabiSabiLabi recently issued a call for "security research" on the iPhone, but so far nothing has been posted.